Electronic health information and privacy

September 19, 2006

The federal government is building a domestic spy network unlike any the world has ever seen. When it's complete, every keystroke you make on a computer and every automated transaction that has ever involved you will be captured, correlated and relentlessly mined by dozens of federal agencies day in and day out.

While privacy advocates and the nation's big newspapers and networks battle the federal government over the National Security Agency's phone record collection and the Treasury Department's fishing expedition through international banking records, federal domestic spying programs are mushrooming.

While sleeker, sexier federal data-mining programs that purport to target terrorists make headlines across the nation, dozens of federal spy programs that are just as invasive in scope, if not more so, get scant attention.

Unlike the NSA and Treasury spy programs, the U.S. Mint program that trawls through your credit card data when you make online purchases isn't aimed at terrorists.

The Mint program turned up in a 2004 GAO audit, along with about 200 other so-called data-mining programs, over 50 of which are designed to scour personal data and information purchased from the private sector for patterns of criminal and terrorist activity.

A recently launched program called Reveal uses commercial software to troll through multiple databases of financial transactions between individuals and institutions in search of suspicious links in the data that could indicate everything from individual income tax evasion to financial crimes or terrorist activity.

A business that wants to market its products to small home-based businesses might mine phone records to see who has a home phone and a fax number at the same address, on the theory that they might be running a home-based business.

They may be wrong in half the cases, Herb Edelstein, the president of Two Crows Consulting and an expert in data-mining, says, but if they are right in the other half, their marketing dollars may be well spent.

At the moment, Edelstein says, the government is still in the phase of exploring data-mining to see what it can do, and there has been a definite swing away from protecting personal privacy.

"After 9/11, the government said if private industry is doing this, we should, too, and maybe we can figure out who the bad guys are," said Edelstein.

Meanwhile, the federal government is plowing ahead with the parts of the federal information sharing system it can build now in anticipation of the day when the whole system is up and running.

Special Agent In Charge Pam Tully, a veteran of the North Carolina State Bureau of Investigation, says that the center's databases will all run on the same global standards others across the nation use.

Going to the doctor has never been high on the list of good times, but you could at least get through the examination with the knowledge that whatever you and your doctor discuss is kept safe and confidential. Until now, that is.

A new report commissioned by major players in the health care industry has found that not only is collection and control of individuals' health data by providers accelerating, but that the data is extensively traded and resold for other purposes.

The report, commissioned by the American Medical Informatics Association (AMIA), found that although the Health Insurance Portability and Accountability Act (HIPAA) has strict rules governing the sharing of information by direct health care providers and insurers, it has no protection for the "secondary" market.

The report cited instances of patients being pressured to waive their privacy rights in order for providers to use their data, or the abuse of health care data by third parties.

The report was commissioned by an expert panel that included pharmaceutical heavyweights GlaxoSmithKline and Pfizer, medical experts and academics, and representatives from government agencies such as the Department of Health and Human Services (HHS) and the Centers for Disease Control (CDC).

British Columbians can be thankful that only the provincial government acted wrongly in the treatment of 41 sensitive computer tapes, according to the executive director of the B.C. Freedom of Information and Privacy Association, Darrell Evans.

Evans was commenting on a report by the B.C. Chief Information Office on the sale at public auction of the government tapes, which contained the personal records of thousands of citizens.

"There needs to be a cultural change within both the public sector and the private sector regarding respect for people's private information," Evans said.

Labour and Citizens' Services Minister Mike de Jong, who is responsible for the government's information policies, subsequently banned the sale of all computers and related media.

In his March 24 report, B.C. Chief Information Officer Dave Nikolejsin found that the sale of the tapes occurred due to a combination of procedural and human errors.

"We have some quite good policy, but there's some significant gaps in how well it's implemented," Nikolejsin said, "and the challenge becomes closing those gaps."

He added that there are many incidents of inappropriate access to computer records, especially in the private sector, many of which are never reported.

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned. Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms.

The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case.

According to court records the massive T-Mobile breach first came to the government's attention in March 2004, when a hacker using the online moniker "Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.

By August 5th the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server -- a host that would pass through Web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.

On October 27th, law enforcement agencies dropped the hammer on Operation Firewall, and descended on fraud and computer crime suspects across eight states and six foreign countries, arresting 28 of them. Jacobsen, then living in an apartment in Santa Ana in Southern California, was taken into custody by the Secret Service. He was later released on bail with computer use restrictions.

Information obtained from Lembo's computers indicates he had upper-level bank employees accessing individual account information from their respective banks. He then sold that information to clients, including over 40 law firms and collection agencies.

DRL also managed to obtain employment information from the manager of the New Jersey Department of Labor in Jersey City.

The B.C. government and Telus have tightened the way electronic records are handled at a Victoria data centre after computer tapes containing personal information on hundreds of thousands of B.C. residents were discovered missing.

A copy of the report was obtained by ITBusiness.ca last week under a freedom-of-information request, although more than a dozen pages and parts of many others were withheld on grounds that their release could harm the security of a computer system.

"A large number of persons had access to the data centre during that time, which made it difficult to isolate who was involved," according to the report. It adds that last year's labour dispute between Telus and its staff also limited the investigation: "A number of Telus personnel, who would normally have been interviewed, were unavailable due to an ongoing labour dispute."

The report says that there has been a "significant turnover" of staff at the data centre since July, 1998.

Labour and Citizens' Services Minister Olga Ilich said the problems stem from the NDP era, when the government of the day contracted out storage of government computer tapes to Telus, on July 12, 1998.

Ilich added that her ministry has contacted the office of the B.C. Information and Privacy Commissioner, which told ministry staff that the government has done everything necessary to protect the records.

Bill Trott, the acting director of the Office of the Information and Privacy Commissioner, confirmed that his office was made aware of the missing tapes.

Honeywell employees in South Bend and elsewhere have been alerted to a computer security breach that might have put their personal information at risk.

The almost three-year-old data was discovered online Friday, and taken down immediately, said the e-mail message from John McClurg, vice president of global security for the Morristown, N.J.-based company. The company did not know whether the information was taken directly from Honeywell or from one of its service providers, McClurg's e-mail said. He also said it is not known how it was obtained or who was responsible for posting it online.

"We are working with federal and state law enforcement agencies, including the FBI, to find the responsible party, determine what happened and take appropriate action," McClurg wrote.

The company on Tuesday issued a statement echoing McClurg's e-mail, and added that it will provide assistance to affected employees, including credit monitoring and identity theft insurance.

The Honeywell data is the second instance of a major South Bend company or institution reporting a problem with personal information on its computers.

On Saturday, the University of Notre Dame alerted some of its donors that images of checks they mailed might have been viewed by an outside party on Jan. 13.

A federal grand jury has indicted a former San Jose Medical Group employee for stealing computer equipment from the health care provider, including a digital video disc containing medical records for approximately 200,000 group patients.

Joseph Nathaniel Harris, 43, is currently free on $25,000 bail. He was arrested on Jan. 3. If convicted he faces a possible 10-year prison sentence.

According to federal prosecutors, Harris, a branch manager for the medical group, was asked to resign in the fall of 2004. The following March, group employees discovered computer equipment was missing from the organization's main office, including the DVD. The FBI began an investigation and allegedly discovered the DVD in Harris's car.

Blue Cross and Blue Shield says a contractor took about 27,000 names and Social Security numbers. Company spokeswoman Lisa Acheson Luther says the contractor had access to a database of identification badge information and transferred it via e-mail to a home computer.

One of those affected is a Jacksonville woman who asked that we identify her only as Amanda.

She worked for Blue Cross within the last five years and was notified by e-mail that her information had been stolen.

Blue Cross is notifying those affected and will provide them with a year's worth of free credit monitoring service.

The company is not aware of any instances where the stolen information has been used to commit identity theft or has otherwise been misused.

This is the second time in less than a year Blue Cross and Blue Shield of Florida has had to deal with inadvertent disclosure of personal information.

In August, the company accidentally disclosed Social Security numbers of almost 200 long-term care policy holders in a mass mailing.

If you feel your information has been given out, contact BCBS at 1-800-461-1719.